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Abstract — Many operations in power grids, such as fault 
detection and event location estimation, depend on precise timing 
information. In this paper, a novel time stamp attack (TSA) is 
proposed to attack the timing information in smart grid. Since 
many applications in smart grid utilize synchronous measure- 
ments and most of the measurement devices are equipped with 
global positioning system (GPS) for precise timing, it is highly 
probable to attack the measurement system by spoofing the GPS. 
The effectiveness of TSA is demonstrated for three applications 
of phasor measurement unit (PMU) in smart grid, namely 
transmission line fault detection, voltage stability monitoring and 
event locationing. 

I. Introduction 

Smart grid (51 has been considered as an emerging technol- 
ogy profoundly changing the modern power grids. To maintain 
the reliability of power systems, wide area monitoring systems 
(WAMSs) [12] are exploited to obtain the real-time system 
status, which is essential for the maintenance and control of 
power systems. The security of WAMSs is one of the prime 
issues in the smart grid technology, since the power grid will 
make operation decisions depending on these measurements 
from the WAMS. Errors of measurements will cause wrong 
operations that may lead to serious damages such as instability 
or even blackout. 

Most studies on security issues in smart grid have been fo- 
cused on how to protect the data integrity of the measurements. 
Accordingly, the attack on the measurements is named the 
false data injection attack (FIA) @ El. Different from FIA, 
which requires hacking into the computer system of power 
grid, in this paper, we identify a potential type of attack to the 
WAMS, coined Time Stamp Attack (TSA), which occurs in the 
physical layer. 

It is well known that the measurements in the WAMS need 
to be time synchronized (31 (T2l . which is often achieved by 
using the global positioning system (GPS). As illustrated in 
Fig. [TJ with a GPS signal receiver, monitoring measurement 
recorders (MMRs) trigger their measurements by the GPS time 
signal. After the measurements are recorded, the time values 
are attached to the measurements, which is similar to posting a 
stamp to the measurements (thus called time stamp). Through 
the communication infrastructure, the measurements with time 
stamps are conveyed to the control center, based on which 
the control center can align the collected measurements for 
analyzing the system state and then take future actions. 
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Fig. 1 : Illustration of synchronized smart grid monitoring with 
GPS spoofer 



Although providing important information, the time stamps 
are vulnerable to attacks, since they can be modified by 
inducing a forged GPS signal 0. Moreover, it is difficult 
for a common civil GPS receiver to detect a spoofing GPS 
signal. The attack can be implemented successfully with a 
high probability, since the attacker even does not need to 
hack into the monitoring system. Although there is some 
data processing procedure to handle the measurements, most 
current processing schemes only consider the measurement 
data error caused by noise and apply a simple smoothing 
filtering scheme. Consequently, TSA can easily bypass the data 
processing procedure. 

In this paper, the impact of TSA will be evaluated for 
three applications of PMU, namely transmission line fault 
detection/locationing, voltage stability monitoring and event 
locationing. Simulation results will demonstrate that TSA can 
effectively deteriorate the performance of these applications 
and may even result in false operation of power system. 

The remainder of this paper is organized as follows. Section 
HJ provides the GPS spoofing attack model from the aspect 
of signal processing. Section Hn briefly introduces the back- 
grounds for applications of PMUs including the transmission 
line fault detection/locationing algorithm, the voltage moni- 
toring algorithm and the event locationing. Simulations for 



demonstrating the impacts of TSA are presented in Section 
HVl Conclusions and future work are provided in Section [Vj 

II. GPS Signal and Attack Model 

In this section, we briefly introduce the GPS signal recep- 
tion processing. Then we propose the attack model for GPS 
spoofing and TSA. 

A. GPS Signal Reception 

The precise timing information from GPS signals includes 
two parts. One is embedded in the navigation messages 
demodulated from the received GPS signals, which has the 
precision of a second; the other part is the precise signal 
propagation time from the GPS satellite to the receiver, which 
has the precision of a millisecond for civil users. 

The system-wide synchronization time reference is referred 
to the coordinated universal time (UTC) tjjTC disseminated 
by GPS, which is given by 



tuTC = Ucv — t p — AtuTC, 



(1) 



where t rcv and t p 



represent the receiver clock time and 
propagation time for the GPS signal, respectively, and Aturc 
denotes the time corrections provided by the GPS ground 
controllers. To obtain the navigation message, we need to 
demodulate the GPS signal. 

The received standard positioning service (SPS) GPS signal 
r(t) is given by 
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r(t) = ^/r fc (2P c )i(C fc (t)©i5 fc (t))cos27r(/Li+A/fe)t+ri(t), 
k=i 

(2) 

where and P c are the channel matrix for the k-th satellite 
and the signal power, respectively, Ck(t) and Dk(t) are the 
spread spectrum sequence (C/A code) and the navigation 
message data from the k-th satellite, respectively, /li and 
Afk are the carrier frequency for civil GPS signal and doppler 
frequency shift for the k-th satellite, respectively, and n(t) 
denotes the noise. The received signal processing includes 
two major steps, namely acquisition and tracking. ^From ©, 
we can observe that the key processing for acquisition is 
to search for the code phase of the receive C/A code and 
doppler frequency shift Afk. By multiplying the C/A code of 
identical code phase with the carrier of the same frequency 
as the received GPS signal, the navigation message can be 
demodulated coherently 0. 

B. Attack Model 

To spoof a GPS receiver, the GPS receiver needs to be 
misled to acquire the fake GPS signal instead of the true one. 
The acquisition is implemented by searching for the highest 
correlation peak in the code phase-carrier frequency two 
dimensional space. Intuitively, the signal with a higher signal- 
to-noise-ratio (SNR) will have a higher correlation peak, which 
is illustrated in Fig. [2 

Therefore, there exists a two-step spoofing strategy. In the 
first step, the spoof er launches a certain interference and 
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Fig. 2: Comparison of correlation peak under normal and 
spoofing attack conditions. 



causes the GPS receiver to lose track. Then, it sends spoofing 
GPS signal when the GPS receiver carries out the acquisition 
processing. Consequently, the GPS receiver will track the fake 
GPS signal due to its higher correlation peak, since the fake 
GPS signal has a higher SNR. 

III. Introduction to Applications of PMU 

In this section, we provide a brief introduction to the 
applications of PMUs requiring precise timing information, 
which include the transmission line fault detection/locationing 
algorithm, the voltage monitoring algorithm and the event 
locationing. 

A. Transmission Line Fault Detection and Locationing 

An algorithm for transmission line fault detec- 
tion/locationing can quickly detect the fault and estimate 
the fault location. Many studies have suggested to utilize 
the measurements at both ends of the transmission line to 
improve the locationing accuracy |[T3l - |[T5l . Here, we briefly 
review the fault detection and locationing method proposed 
in fT4l which utilizes the measurements at both ends and 
thus requires time synchronization. As ifTH focuses on long 
transmission lines, we can extend it to short and medium 
transmission line, which is omitted in this paper due to the 
limited space. 




Fig. 3: Model for long transmission line with fault 

Fig. [3] shows the long transmission line model [18] with 
fault |[T4l . In this model and Vg are the voltages at the 
receiving and sending ends with unit V; I' R and I' s are the 
currents at both ends of the line with unit A. Suppose that 
the total length of transmission line is L miles or kilometers. 
The length from the fault to the receiving end is DL miles or 



kilometers, in which D is the fault location index. Z' SF and 
Z FR are the impedances of each transmission line segment. 
Yg F and Y FR are the admittances of each transmission line 
segment. 

When a fault occurs, the voltage Vp at the fault location 
can be calculated from the measurements, V$ F and I' SF , at the 
sending side, or measurements V FR and I' FR , at the receiving 
side. The computation results of Vf from both sides should 
be equal to each other. Based on this observation, the fault 
locationing index can be estimated as lfT4l : 

ln(7V/M) 



D P 



2 7 L 



where 



N 



V R - ZJ R V s - ZJ S 



exp(7L), 



(3) 



(4) 



A/f Vs + ZJ S Vr + ZJr 

M = exp(- 7 L) , (5) 

where Z c is called the characteristic impedance of the line 
which is equal to Z c = \J Z\jy\. As N and M change 
suddenly because of the fault and their post-fault values are 
greatly larger than the pre-fault one, TV and M can be used 
as the fault indicators fT4ll . Note that the above computation 
needs a perfect time synchronization of the measurements at 
the two ends, which exposing the system to possible TSA. 

B. Voltage Stability Monitoring 

One commonly used method to evaluate the voltage stability 
is to use the Thevenin Equivalent Circuit to simplify the model 
fT9ll . The principle is to model the remote system as a voltage 
source E t h with impedance Zth, and the local load as an 
impedance Zl. The maximum power can be obtained when 
\Z th \ = \Z L \. 
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Fig. 4: Transformed circuit for Power System 

With the Thevenin Equivalent Circuit, two indices for 
voltage stability margin can be obtained fT9l . The first index 
is associated with the load impedance: 



MARGIN^ = 100(1 - fccrit), 



where 



Hh 



Z L 



(6) 



(7) 



The second index is associated with active power delivered to 
the load bus (in p.u.) 

P L ifZ L >Z th 



MARGINp 







ifZ L > Z } 



th 



(8) 



The indices can be used to evaluate the stability. More details 
can be found in fT9l . Note that the above parameters need to be 
estimated from the synchronized measurements, thus making 
the algorithm vulnerable to possible TSA. 

C. Event Locationing 

One of the essential monitoring tasks in smart grid is to 
locate the disturbing event in power grid. When a significant 
disturbance occurs, there will be many symptoms such as 
voltage and frequency violations in both time and space. The 
perturbation will travel throughout the grid @ . Therefore, 
the distributed monitoring devices will capture the variance 
of the measurements and send these data to the monitoring 
system server or exchange with their neighbors. The event 
time and location can be deduced from the time stamp on these 
measurements. After receiving the measurements from these 
monitoring devices, servers need to decide the hypocenter of 
the event, which is typically marked as the wave front arrival 
time Q. On aligning these measurements according to their 
time stamps, the event arriving time at each monitoring device 
can be attained. Consequently, the disturbing event location 
can be deduced by triangulation, which is given by (consider 
four MMRs) 
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= 0, (9) 



when ti,i = 1,2,3,4 is the disturbing event arrival time to 
the z-th MMR, {x^ yi) and (x e ,y e ) are the coordinates of the 
z-th MMR and the disturbing event location, respectively, and 
V e is the event propagation speed in the power grid network. 
Since the coordinates and the arrival time of each MMR are 
known, the Newton's method can be applied to solve these 
equations and attain the event location and time. Obviously, if 
the timing is incorrect, a wrong event location will be deduced 
from the incorrect equations. 

IV. Damage of Time Stamp Attack 

In this section, simulations have been conducted to evaluate 
the damage of TSA on the three applications of PMUs 
introduced in the previous section. Since the main impact 
of TSA on smart grids is the asynchronism of phase angle 
measurements among PMUs, we focus on evaluating the 
impact of the asynchronism on these applications. The phase 
angle errors resulted from TSA at the sending PMU and 
receiving PMU are denoted by AOs and A##, respectively. 
The phase angle asynchronisim between the sending PMU 
and receiving PMU is denoted by A# which is equal to 
A6 R - AOs. 

A. TSA on Transmission Line Fault Detection and Locationing 

The simulation model for transmission line is shown in 
Fig. [21 The parameters for the transmission line are the same 
as those in fT3l . The lengths for long, medium and short 



Fig. 5: Simulation model for transmission line fault locationing 
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Fig. 6: Fault indicators, A and B, for short transmission line 



transmission lines are 400 miles, 50 miles and 25 miles, 
respectively. The total simulation time is 10s, and the fault 
occurs at 5s. 

1 ) Short Transmission Line: Fig. [6] and Fig. [7] show the 
fault indicators, A and B (the computational details will be 
given in our journal version), and the performance of fault 
locationing for short transmission line with different phase 
angle asynchronism AO. Fig. [6] demonstrates that the gaps 
for fault indicators, A and B, decrease as |A0| increases. 
For A, the gaps corresponding to |A0| = 0,5,25 are around 
55, 45, and 20, respectively. In other words, if A is used as 
the fault indicator, the performance of fault detection will be 
deteriorated by TSA. As shown in Fig. [7] the fault locationing 
error is very small even if AO is as large as 30. Therefore, the 
performance of fault locationing for short transmission lines 
is only negligibly affected by TSA. 

2) Medium Transmission Line: Fig. [8] and Fig. [9] depict 
the fault indicators, B and C (the computational details will 
be given in our journal version), and the performance of fault 
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Fig. 7: Performance of fault locationing for short transmission 
line 
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8: Fault indicators, B and C, for medium transmission 
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9: Performance of fault locationing for medium transmis- 
line 



locationing for medium transmission lines with different phase 
angle asynchronism AO. As shown in Fig. [U prior to the fault 
occurrence, the values of B and C (especially C) increase as 
AO increases. When AO is equal to 25, the value of C before 
the fault occurrence is larger than C after fault occurrence 
when there is no phase angle asynchronism. Therefore, the 
false alarm probability would be increased under TSA. As 
shown in Fig. [51 the fault locationing error is proportional to 
A0. When fault location index D is equal to 0.5 or 0.75, the 
fault locationing error is as large as 0.3 when AO is equal to 
30. 

3) Long Transmission Line: Fig. [TO] and Fig. ITTI illustrate 
the fault indicators, N and M, obtained from ^ and the 
performance of fault locationing for long transmission lines 
with Phase ABC fault and different phase angle asynchronism 
AO. Under TSA, the gaps of fault indicators, N and M, 
decrease as AO increases. As the values of the fault indicators, 
N and M, are much more than the fault indicators for short 
and medium transmission lines when fault occurs, the impact 
of TSA does not have much impact on the fault detection 
in long transmission lines. For long transmission lines, the 
fault locationing error is also proportional to the phase angle 
asynchronism AO. When the fault location index D is equal to 
0.5 or 0.75, the fault locationing error is as large as 0.2 when 
AO is equal to 30. Fig. [T2l compares the performance of fault 
locationing with different types of faults under TSA. Fig. [121 
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Fig. 10: Fault indicators: N and M, for long transmission lines 
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Fig. 11: Performance of fault location for long transmission 
lines 



shows that, for type Phase A and type Phase AB faults, the 
performance of fault locationing is worse than that of type 
Phase ABC fault. 

B. Voltage Stability Monitoring 

The simulation model for the voltage stability monitoring is 
shown in Fig. [131 The root mean square amplitude of source 
voltage dynamically changes with frequency 1Hz. The load 
has a constant power. There are three transmission lines. A 
type phase ABC short-circuit fault occurs on transmission line 
1 between 2s and 2.5s. Transmission lines 1 and 2 are tripped 
at time 4s and 6s, respectively. 



-□-Three-phase ABC fault 
X" Single-phase A to ground fault 
Phase-to-phase A fault 




Fig. 12: Performance of fault locationing for long transmis- 
sions line 



The simulation results are shown in Figures [141 [15] and [TSJ, 
respectively. As shown in Fig.[T5j only the power margin index 
MARGINp is affected by the phase angle asynchronism AOr 
caused by TSA. Fig. [T6l illustrates the normalized mean power 
margin index which is defined as 



E 



| MARGINp - MARGINp | 



(10) 



where MARGINp is the estimated power margin index. As 
shown in Fig. [TSJ, the estimated error increases as |A0| 
increases. Another observation from the simulation result is 
that the estimated error is not symmetric with the phase angle 
asynchronism AO. The increasing rate of estimated error for 
a positive AO is much larger than that for a negative AO. 
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Fig. 13: Simulation model for voltage stability 
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Fig. 14: Voltages and currents at the sending and receiving 
ends 
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Fig. 15: Voltage stability indices 

C. Regional Disturbing Event Location 

For the disturbing event location, the sampling is trigged by 
the GPS time signal as illustrated in Fig.Q] A forged GPS time 
signal can control the sampling in a wrong time or provide a 
wrong time stamp for the measurements. The simulation on 
the effect on the event location is shown in Fig. [TTJ It can be 
observed that, with one MMR under TSA, the estimation of 




Fig. 16: Performance of voltage stability monitoring index 1 
with different phase angle asynchronism 



disturbing event will be far away from the true position (the 
event happening in Mississippi is misled to Tennessee). 
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Fig. 17: Simulation of TSA on disturbing event location 



V. Conclusion and Future Works 

In this paper, we have identified the GPS spoofing based 
TSA in power grids. The time stamps are modified by the 
forged GPS signal, and the time stamp related measurements 
will be corrupted by TSA. TSA in several scenarios have 
been studied in this paper. For the transmission line fault 
detection and locationing, TSA can not only deteriorate the 
performance of fault locationing, but also increase the false 
alarm probability with some fault indicators. For the voltage 
stability monitoring, TSA can exaggerate the power margin 
and result in delaying or disabling the voltage instability alarm. 
It has also been demonstrated that the TSA can significantly 
damage the event location in power grid. 

In our future work, we will study the protection scheme 
against TSA. From the viewpoint of signal processing, the fake 
GPS signal cannot erase the true GPS signal as illustrated in 
Fig. [2 To mislead the GPS signal tracking, the spoof er must 
transmit a fake GPS signal with a higher SNR; thus we can 
detect the TSA by the SNR of the correlation peak. Since the 
spoofer's fake GPS signal has a significant direction of arrival, 



TSA may also be detected by applying the direction of arrival 
(DOA) discrimination Q, which will be further studied in our 
future work. 
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